CVE-2023-32320

EPSS 0.52%
Veröffentlicht 22.06.2023 21:15:09
Zuletzt bearbeitet 21.11.2024 08:03:06
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server's brute force protection allows someone to send more requests than intended

Brute force protection allows to send more requests than intended

Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel to bruteforce protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 8 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 21.0.0 < 21.0.9.12

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 22.0.0 < 22.2.10.12

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.7

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.12.2

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.7

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.7

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 26.0.0 < 26.0.2

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 25.0.0, < 25.0.7

Version >= 26.0.0, < 26.0.2

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 21.0.0, < 21.0.9.12

Version >= 22.0.0, < 22.2.10.12

Version >= 23.0.0, < 23.0.12.7

Version >= 24.0.0, < 24.0.12.2

Version >= 25.0.0, < 25.0.7

Version >= 26.0.0, < 26.0.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.52%	0.664

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.7	2.2	5.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg

Patch

Vendor Advisory

https://github.com/nextcloud/server/pull/38274

Patch

https://hackerone.com/reports/1918525

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-32320

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32320

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32320

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-32320